Defending Web Applications Security Essentials

This Simulcast class will be broadcast LIVE from CDI 2017. Don't miss this opportunity to take DEV522 with Dr. Johannes Ullrich without leaving home!

Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an organization.

Brandon Smit, Dynetics

Great course for people starting into security essentials.

Alex Largie, Navajo Nation

This is the course to take if you have to defend web applications!

The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defenses, such as firewalls, fail to secure web applications. DEV522 covers the OWASP Top 10 Risks and will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world applications that have been proven to work. The testing aspect of vulnerabilities will also be covered so that you can ensure your application is tested for the vulnerabilities discussed in class.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.

DEV522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:

Infrastructure security

Server configuration

Authentication mechanisms

Application language configuration

Application coding errors like SQL injection and cross-site scripting

Cross-site request forging

Authentication bypass

Web services and related flaws

Web 2.0 and its use of web services

XPATH and XQUERY languages and injection

Business logic flaws

Protective HTTP headers

The course will make heavy use of hands-on exercises and concludes with a large defensive exercise that reinforces the lessons learned throughout the week.

How to comprehensively remediate common web application vulnerabilities.

How to apply defensive application design and coding practices to avoid security vulnerabilities.

The HTTP protocol and new technologies such as SPDY and Websockets that affect the protocol stack.

How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.

How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.

How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.

How to design better and stronger security architecture that includes infrastructure aspects in the design process.

How to understand cutting-edge web technologies (such as HTML5) and their security implications, avoiding security issues when utilizing these newer technologies.

Course Syllabus

DEV522.1: Web Basics and Authentication Security

Overview

We begin day one with an overview of recent web application attack and security trends, then follow up by examining the essential technologies that are at play in web applications. You cannot win the battle if you do not understand what you are trying to defend. We arm you with the right information so you can understand how web applications work and the security concepts related to them.

We discuss the authentication aspect of web applications in depth. The vulnerability of authentication is covered, followed by examples of exploitation and the mitigations that can be implemented in the short and long term. We complete the discussion by providing information on how to discover and test for vulnerabilities.

Authorization is the last topic of discussion for the day: the goal is to make sure that applications properly control access to the appropriate resources. You will learn the right way to plan for access during the development life cycle and the common pitfalls with access control. Similar to the discussion on authentication, we start with the vulnerabilities and then move on to mitigations and testing, followed by a section on best practices on authorization.

CPE/CMU Credits: 6

Topics

HTTP basics

Overview of web technologies

Web application architecture

Recent attack trends

Authentication vulnerabilities and defense

Authorization vulnerabilities and defense

DEV522.2: Web Application Common Vulnerabilities and Mitigations

Overview

Since the Internet does not guarantee the secrecy of information being transferred, encryption is commonly used to protect the integrity and secrecy of information on the web. This course day covers the security of data in transit or on disk and how encryption can help with securing that information in the context of web application security.

We continue with a discussion about session management in web applications. We will go over a hacker's technique in attacking the session mechanism and related defense strategies. Best practices of session security will be discussed to ensure your application's session management is as strong as possible. Advanced session topics like cross-site request forgery will also be covered.

Next we will cover business logic flaws and concurrency. These are difficult topics to detect with automated scanners, so it is essential that security professionals understand these problems and avoid them at all costs.

The day ends with analysis of some basic input-related flaws, as well as SQL injection. The basic mechanics of these vulnerabilities are covered, followed by real-world attack trends. Most importantly, we delve into the mitigation of these vulnerabilities and best practices to avoid these critical vulnerabilities.

DEV522.3: Proactive Defense and Operation Security

Overview

Day three begins with a detailed discussion on cross-site scripting and related mitigation and testing strategies, as well as HTTP response splitting.

The code in an application may be totally locked down, but if the server setting is insecure, the server running the application can be easily compromised. Locking down the web environment is essential, so we cover this basic concept of defending the platform and host.

To enable any detection of intrusion, logging and error handling must be done correctly. We will discuss the correct approach to handling incidents and logs, then dive even further to cover the intrusion detection aspect of web application security.

In the afternoon we turn our focus to the proactive defense mechanism so that we are ahead of the bad guys in the game of hack and defend. We will cover such topics such as file upload handling, intrusion detection, honeypot, redirection, extra in-depth authentication information, and practical input validation strategy. The material is designed to give you the extra edge in defending your application.

CPE/CMU Credits: 6

Topics

Cross-site scripting vulnerability and defenses

Web environment configuration security

Intrusion detection in web application

Incident handling

Honeytoken

DEV522.4: AJAX and Web Services Security

Overview

Day four is dedicated to the security of asynchronous JavaScript and XML (AJAX) and web services, which are currently the most active areas in web application development. Security issues continue to arise as organizations dive head first into insecurely implementing new web technologies without first understanding them.

We will cover security issues, mitigation strategies, and general best practices for implementing AJAX and web services. We will also examine real-world attacks and trends to give you a better understanding of exactly what you are protecting against. Discussion focuses on the web services in the morning and AJAX technologies in the afternoon.

CPE/CMU Credits: 6

Topics

Web services overview

Security in parsing of XML

XML security

AJAX technologies overview

AJAX attack trends and common attacks

AJAX defense

DEV522.5: Cutting-Edge Web Security

Overview

Day five focuses on cutting-edge web application technologies and current research area. Topics such as clickjacking and DNS rebinding are covered. These vulnerabilities are difficult to defend and multiple defense strategies are needed for their defense to be successful.

Another topic of discussion is the new generation of single-sign-on solutions such as OpenID. We cover the implications of using these authentication systems and the common "gotchas" to avoid.

With the Web2.0 adoption, the use of Java applet, Flash, ActiveX, and Silverlight are on the increase. The security strategies of defending these technologies are discussed so that these client-side technologies can be locked down properly.

CPE/CMU Credits: 6

Topics

Clickjacking

DNS rebinding

Flash security

Java applet security

Single-sign-on solution and security

IPv6 impact on web security

DEV522.6: Capture and Defend the Flag Exercise

Overview

Day six starts with an introduction to the secure software development life cycle and how to apply it to web development. But the focus is a large lab that will tie together the lessons learned during the week and reinforce them with hands-on applications. Students will be provided with a virtual machine to implement a complete database-driven dynamic website. In addition, they will use a custom tool to enumerate security vulnerabilities and simulate a vulnerability assessment of the website. Students will then have to decide which vulnerabilities are real and which are false positives, and then mitigate the vulnerabilities. The scanner will score the student as vulnerabilities are eliminated or checked off as false positives. Advanced students will be able to extend this exercise and find vulnerabilities not presented by the scanner.

Students will learn through these hands-on exercises how to secure the web application, starting with the operating system, the web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.

CPE/CMU Credits: 6

Topics

Mitigation of server configuration errors

Discovering and mitigating coding problems

Testing business logic issues and fixing problems

Web services testing and security problem mitigation

Reinforcement through exercises of key topics discussed throughout the course.

Additional Information

Laptop Required

It cannot be stressed enough that if your laptop does not meet minimum configuration requirements, you will not be able to participate in this course.

Students attending this course are required to bring their own laptops pre-configured per the instructions below. This must be done before class starts.

Mandatory Laptop Hardware Requirements

2GHz processor

4GB RAM with 6 GB or higher recommended

20GB free hard disk space

An unused USB slot

A laptop with Windows 7, 8 or 10 is required with the latest Service Packs and patches. Please install VMWare Workstation Player 12, VMware Workstation 10, or a more recent version of either product on the laptop. You may download VMWare Workstation Player for free here (http://www.vmware.com/products/player/)

VMWare Fusion 7, 8 or later for Mac OS X can be used for Apple MacBooks provided the hardware requirements above are met.

You must have administrative privileges on the laptop with the ability to disable the host firewall (the Windows firewall or other third-party firewall) and anti-virus running on your desktop. At the beginning of class you will be given a Linux VMWare image. This image will be booted within VMware as a virtual machine for all the exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Application developers

Application security analysts or managers

Application architects

Penetration testers who are interested in learning about defensive strategies

Security professionals who are interested in learning about web application security

Auditors who need to understand defensive mechanisms in web applications

Employees of PCI compliant organizations who need to be trained to comply with PCI requirements

Prerequisites

This class requires a basic understanding of web application technology and concepts such as HTML and JavaScript.

Hands-on Training

Full-day lab with hands-on exercises on how to secure a web application, starting with the operating system, the web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.

Press & Reviews

"Not only does DEV22 teach the defenses for securing web apps, it also shows how common and easy the attacks are and thus the need to secure the apps." - Brandon Hardin, ITC

"I think DEV522 is absolutely necessary to all techies who work on web applications. I don't think developers understand the great necessity of web security and why it is so important." - Mahesh Kandru, Cabela's

"Specific and hands on training regarding webserver and browser security as it is presented in DEV522 is valuable! The cost of bugs and vulnerabilities can be immeasurable." - Josh Hegg, Tripwire

Author Statement

Too many websites are getting compromised these days. The goal of DEV522 is to arm students with defensive strategies that can work for all web applications. We all know it is very difficult to defend a web application because there are so many different types of vulnerabilities and attack channels. Overlook one thing and your web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of web application. This course covers the security vulnerabilities so that students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks, as well as the overall architecture, that have been proven to help secure sites. I have also included some case studies throughout the course so we can learn from the mistakes of others and make our own defense stronger. The exercises in class are designed to help you further your understanding and help you retain this knowledge through hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications and build more secure applications in the future.